Application Security Checklist
Application security checklist with 38 checks across authentication, authorization, I/O, and infrastructure.
Prompt
Create a comprehensive security checklist for: {{application_type}}
Stack: {{tech_stack}}
Auth method: {{auth_type}}
Data types handled: {{sensitive_data}}
Deployment: {{cloud_provider}}

Security checklist by category:

1. **Authentication** (12 checks):
   - [ ] Password hashing with bcrypt/argon2 (cost factor ≥12)
   - [ ] Account lockout after 5 failed attempts
   - [ ] MFA available and encouraged
   - [ ] Session timeout (30 min idle, 24 hour absolute)
   - [ ] Secure password reset flow (time-limited token, single use)
   - [ ] OAuth state parameter validated
   - [ ] JWT tokens: short expiry, refresh rotation, proper signing
   - [ ] Login attempt rate limiting
   - [ ] Credential stuffing protection
   - [ ] No credentials in URL parameters
   - [ ] Secure remember-me implementation
   - [ ] Account enumeration prevention

2. **Authorization** (8 checks):
   - [ ] Every endpoint checks permissions
   - [ ] IDOR prevention (users can't access others' data)
   - [ ] Role-based access control implemented
   - [ ] API key permissions are scoped
   - [ ] File access controls
   - [ ] Admin functions protected
   - [ ] Horizontal privilege escalation checked
   - [ ] Vertical privilege escalation checked

3. **Input/Output** (10 checks):
   - [ ] All input validated server-side (never trust client)
   - [ ] Output encoding to prevent XSS
   - [ ] Parameterized queries to prevent SQL injection
   - [ ] File upload validation (type, size, content)
   - [ ] URL redirect validation
   - [ ] XML parsing: XXE prevention
   - [ ] JSON parsing: prototype pollution prevention
   - [ ] Content-Type enforcement
   - [ ] Request size limits
   - [ ] HTML sanitization for user content

4. **Infrastructure** (8 checks):
   - [ ] HTTPS enforced everywhere
   - [ ] Security headers (CSP, HSTS, X-Frame-Options)
   - [ ] CORS configured narrowly
   - [ ] Dependencies scanned for vulnerabilities
   - [ ] Secrets in environment variables, not code
   - [ ] Logging of security events
   - [ ] Error messages don't leak internals
   - [ ] Regular penetration testing scheduled
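As an added reference implementation (not part of the original prompt), the Python below shows what three of the Authentication checks look like in code: lockout after 5 failed attempts, a time-limited single-use password reset token, and the 30 min idle / 24 hour absolute session timeout. The 15-minute reset window and the in-memory stores are assumptions; the other numbers are the checklist's own.

```python
import hashlib
import secrets

MAX_FAILED_ATTEMPTS = 5            # checklist: lockout after 5 failed attempts
RESET_TOKEN_TTL = 15 * 60          # assumption: 15-minute password reset window
IDLE_TIMEOUT = 30 * 60             # checklist: 30 min idle
ABSOLUTE_TIMEOUT = 24 * 60 * 60    # checklist: 24 hour absolute
# In-memory stores constructed for this example; real code needs a DB or cache.
_failed_attempts: dict = {}
_reset_tokens: dict = {}   # sha256(token) -> (user, expiry)
_sessions: dict = {}       # session id -> {"user", "created", "last_seen"}

def attempt_login(user: str, password_ok: bool) -> str:
    """Return 'locked', 'denied' or 'ok'; the 5th failure locks the account."""
    if _failed_attempts.get(user, 0) >= MAX_FAILED_ATTEMPTS:
        return "locked"
    if not password_ok:
        _failed_attempts[user] = _failed_attempts.get(user, 0) + 1
        return "denied"
    _failed_attempts.pop(user, None)  # a successful login resets the counter
    return "ok"

def issue_reset_token(user: str, now: float) -> str:
    """Mint a random token; only its hash is stored, so a DB leak can't replay it."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _reset_tokens[digest] = (user, now + RESET_TOKEN_TTL)
    return token

def consume_reset_token(token: str, now: float):
    """Redeem a token exactly once; returns the user, or None if unknown/expired."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _reset_tokens.pop(digest, None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return None
    return entry[0]

def create_session(user: str, now: float) -> str:
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "created": now, "last_seen": now}
    return sid

def touch_session(sid: str, now: float) -> bool:
    """Enforce both timeouts; an expired session is deleted, never refreshed."""
    s = _sessions.get(sid)
    if s is None or now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
        _sessions.pop(sid, None)
        return False
    s["last_seen"] = now
    return True
```

Timestamps are passed in explicitly so the expiry paths can be exercised without waiting; in an application they would come from the clock on each request.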